Title: The HIPAA Privacy Rule And Its Impact On Agents And Employers
1. The HIPAA Privacy Rule And Its Impact On Agents And Employers
National Association of Health Underwriters Capitol Conference, March 23, 2003
Joseph T. Holahan, JD, Morris, Manning & Martin, LLP, Washington, DC, 202.408.0705, jholahan_at_mmmlaw.com
2. Road Map
- Overview of the HIPAA Privacy Rule
- Covered entities and products
- Compliance deadlines
- General requirements
- Impact on agents
- Business associate contract
- Disclosures to agents by insurers
- Impact on employers
3. Covered Entities
- Health plans
- Health care providers engaging in standard electronic transactions
- Health care clearinghouses
4. Health Plans: Provide or Pay Cost of Medical Care
- Health insurance issuers and HMOs
- Issuers of Medicare supplemental policies
- Issuers of long-term care policies (except nursing home fixed-indemnity policies)
- Group health plans (except self-administered with fewer than 50 participants)
- MEWAs
- State high risk pools
- Medicare, Medicare+Choice, CHAMPUS and certain other programs
- Any other individual or group health plan that provides or pays for the cost of medical care
5. Covered Products
- Major medical
- HMO
- Dental and vision
- Most long-term care
- Medicare supplemental
- Medicare+Choice
6. Excluded Products
- Life
- Accident only
- Disability income
- Coverage issued as supplement to liability insurance
- Liability insurance, including general liability and auto liability insurance
- Auto medical payment
- Credit-only
- Coverage for on-site medical clinics
7. Gray Area
- Specified disease
- Hospital indemnity
8. Compliance Deadlines
- Most health insurance issuers and HMOs and any group health plans: April 14, 2003
- Small health plans (annual receipts of $5 million or less): April 14, 2004
9. General Requirements
- Restricts use and disclosure of protected health information (PHI) without written authorization
- Minimum necessary standard
- Individual rights
  - Restrictions on use and disclosure
  - Access
  - Accounting of disclosures
  - Amendment
- Business associate contracts
- Amend group health plan documents in some cases to impose requirements on sponsor
10. General Requirements, Cont.
- Notice of privacy practices
- Administrative requirements, including
  - Privacy officer
  - Privacy contact office
  - Privacy policies and procedures
  - Training (workforce only)
11. Permitted Uses and Disclosures
- Pursuant to written authorization compliant with HIPAA
- For treatment, payment or health care operations
- To individual or personal representative
- Friend, family member or other person identified by individual, with written or oral agreement
- Required by law
  - Regulators
  - Judicial and administrative proceedings
  - Law enforcement
- To health oversight agency as authorized by law
12. Permitted Uses and Disclosures: Health Care Operations
- Health care operations include
  - Activities by or on behalf of health plan relating to the creation, renewal or replacement of a contract for health insurance or health benefits
  - Customer service by or on behalf of health plan
13. Permitted Uses and Disclosures: Payment
- Payment includes
  - Activities by or on behalf of health plan to determine eligibility or coverage
  - Claims management by or on behalf of health plan
14. Disclosure By Health Plan To Agent
- Payment or health care operations
- Friend, family member or other person identified by individual
  - PHI directly relevant to person's involvement in individual's health care
  - Written or oral agreement; opportunity to object and no objection; or reasonable inference of no objection based on professional judgment
- Written authorization
15. Required Uses and Disclosures
- Individual access to PHI
- Secretary of DHHS for investigating covered entity's compliance
16. Required Elements of the Business Associate Agreement, Part I
- Establish permitted and required uses and disclosures of PHI by business associate
- May not authorize the business associate to use or disclose information in a way that would violate the Privacy Rule if done by covered entity, with exceptions where necessary for business associate's management and administration and for data aggregation services
17. Required Elements of the Business Associate Agreement, Part II
- Provide that the business associate will
  - Not further use or disclose PHI other than as permitted or required by law
  - Use appropriate safeguards to prevent use or disclosure other than as provided by the agreement
  - If aware of any use or disclosure not provided by the agreement, report it to covered entity
  - Ensure that any agents, including subcontractors, to whom it provides PHI agree to same restrictions
18. Required Elements of the Business Associate Agreement, Part III
- Provide that the business associate will
  - Make PHI available for access by the individual
  - Make PHI available for amendment and incorporate any amendments
  - Make PHI available to provide an accounting of disclosures
  - Make its internal practices, books, and records available to DHHS for investigating covered entity's compliance
19. Required Elements of the Business Associate Agreement, Part IV
- At termination of contract, if feasible, return or destroy all PHI received from covered entity or created or received on behalf of covered entity, and retain no copies
- If return or destruction not feasible, extend protections of contract to information retained and limit use and disclosure to purposes for which information must be retained
20. Permitted Elements of the Business Associate Agreement
- May permit the business associate to use and disclose PHI as necessary for
  - Management and administration of its business, and
  - To carry out its legal responsibilities
- But unless disclosure required by law, business associate must obtain reasonable assurances from person to whom PHI is disclosed that
  - PHI will be held confidentially
  - PHI will be further disclosed only as required by law or for purpose for which it was disclosed to the person, and
  - Person will notify business associate of any known breach of confidentiality
21. Breach of Business Associate Contract: Required Action By Covered Entity
- Take reasonable steps to cure the breach
- If unsuccessful, terminate contract if feasible
- If termination not feasible, report problem to DHHS
- To extent practicable, mitigate any known harm from violation
22. Group Health Plans
- Self-insured plans: all of the Privacy Rule's provisions apply, including
  - Provide privacy notice
  - Implement policies and procedures
  - Train workforce
- Plans offering flexible savings accounts: may need to treat as a self-insured plan
- Insured plans: depends on how much PHI created or received from issuer or HMO
23. Insured Group Health Plans
- If group health plan creates or receives only summary PHI and information about whether individual has enrolled or disenrolled, duties greatly reduced, for example
  - No notice required
  - No need for written policies and procedures
  - No training required
- If group health plan creates or receives other PHI, then
  - Must maintain notice and provide on request
  - All other requirements of Privacy Rule apply
24. Plan Sponsor
- No requirements, if plan sponsor only receives
  - Summary PHI for purpose of obtaining premium bids or modifying, amending or terminating plan
  - Information on whether individual has enrolled or disenrolled, or
  - PHI disclosed pursuant to a written authorization
- If sponsor receives other PHI, must amend plan documents, and group health plan must receive written certification of amendment and give notice
25. Amendment of Group Health Plan Documents
- Much like business associate contract, with added provisions
  - Not use or disclose PHI for employment-related actions and decisions
  - Not use or disclose PHI in connection with any other benefit or employee benefit plan of sponsor
  - Ensure adequate separation between group health plan and sponsor
26. Adequate Separation
- Describe employees or classes of employees and other persons under control of plan sponsor with access to PHI
- Restrict access to and use of PHI by employees and other persons to plan administration functions
- Provide effective mechanism for resolving issues of noncompliance by employees and persons with access to PHI